Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Personal Tracking Devices Expose Public Privacy Risk

A study by Rapid7 finds multiple vulnerabilities in Bluetooth tracking technologies, leading to possible security breaches as IoT device use continues to rise.

Small tags embedded with Bluetooth Low Energy have become increasingly popular in recent years as a way for consumers to track things such as car keys or other small items. There is only one small problem: They're also potentially a larger public privacy risk, according to new research released Oct. 25 by security firm Rapid7.

Among the trackers Rapid7 looked at is the TrackR Bravo device, which was found to have four unique vulnerabilities, including cleartext password storage (CVE-2016-6538), Tracking ID exposure (CVE-2016-6539), unauthenticated access (CVE-2016-6540) and unauthentic pairing (CVE-2016-6541) vulnerabilities.

"Originally, I became interested in conducting this research because I continually saw these devices attached to people's key chains," Deral Heiland, research lead at Rapid7, told eWEEK. "I did not have a specific result in mind when I set out to do this research; however, given the state of IoT [internet of things] security, I was curious about the extent of personal information that was being exposed, and what security implications were being created due to that exposure."

Rapid7 conducted its operational analysis of the Bluetooth tracking products by using multiple tools including Burpsuite to intercept communication between the cloud and mobile applications, Heiland said. Additionally, the Rapid7 researchers used Nordic Bluetooth Low Energy (BLE) tools on Mac and smartphones combined with the Bluefruit LE sniffer to analyze the BLE communication and pairing process and identify attributes used during operations.

Further reading

A core area of weakness overall in Bluetooth is the fact that it is not encrypted, and, as such, communications potentially can be intercepted and read.

"When the devices are initially paired, they derive a long-term key using a key-exchange protocol," Heiland explained. "If you eavesdrop during this exchange, you can get in between the pairing process and can decode the communication."

Heiland added that the Bluefruit LE sniffer tools make this simple when analyzing two devices and their communication.

While Rapid7 has found issues with Bluetooth trackers, Heiland noted that the average person may not encounter abuse of these devices related to their privacy. That said, he noted someone with a higher profile—such as someone in the government, business or entertainment sector—or someone currently having issues such as harassment or stalkers may want to avoid the use of these devices because of the elevated risk of abuse.

TrackR said no user data has been compromised, as far as the company is aware.

"As we work in a fast-moving and exciting market, we try to constantly improve our product and satisfy our customers," Chris Herbert, CEO of TrackR, wrote in an email to eWEEK. "Like other IoT companies large and small, we also have to keep pace with the ever-evolving threats which are redefining IT security.

"We were aware of all but one of these issues and have resolutions in place for all the issues identified," Herbert added.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.